<!DOCTYPE html>
<title>CORS - Access-Control-Allow-Credentials</title>
<meta name=author title="Odin Hørthe Omdal" href="mailto:odiho@opera.com">

<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=support.js?pipe=sub></script>

<h1>CORS - Access-Control-Allow-Credentials</h1>
<div id=log></div>
<script>

var url = CROSSDOMAIN + 'resources/cors-cookie.py?ident='


/*
 * widthCredentials
 */
// XXX Do some https tests here as well

test(function () {
    var client = new XMLHttpRequest()
    client.open('GET', CROSSDOMAIN, false)
    client.withCredentials = true;
}, 'Setting withCredentials on a sync XHR object should not throw')

async_test(function () {
    var id = new Date().getTime() + '_1',
        client = new XMLHttpRequest()
    client.open("GET", url + id, true)
    client.onload = this.step_func(function() {
        assert_equals(client.response, "NO_COOKIE")
        client.open("GET", url + id, true)
        client.onload = this.step_func(function() {
            assert_equals(client.response, "NO_COOKIE")
            this.done()
        })
        client.send(null)
    })
    client.send(null)

}, "Don't send cookie by default");

async_test(function () {
    var id = new Date().getTime() + '_2',
        client = new XMLHttpRequest()

    client.open("GET", url + id, true)
    client.withCredentials = true
    client.onload = this.step_func(function() {
        assert_equals(client.response, "NO_COOKIE", "No cookie in initial request");

        /* We have cookie, but the browser shouldn't send */
        client.open("GET", url + id, true)
        client.withCredentials = false
        client.onload = this.step_func(function() {
            assert_equals(client.response, "NO_COOKIE", "No cookie after withCredentials=false sync request")

            /* Reads and deletes the cookie */
            client.open("GET", url + id, true)
            client.withCredentials = true
            client.onload = this.step_func(function() {
                assert_equals(client.response, "COOKIE", "Cookie sent in withCredentials=true sync request")
                this.done()
            })
            client.send(null)
        })
        client.send(null)
    })
    client.send(null)
}, "Don't send cookie part 2");

async_test(function () {
    var id = new Date().getTime() + '_3',
        client = new XMLHttpRequest()

    /* Shouldn't set the response cookie */
    client.open("GET", url + id, true)
    client.withCredentials = false
    client.onload = this.step_func(function() {
        assert_equals(client.response, "NO_COOKIE", "first");

        /* Sets the cookie */
        client.open("GET", url + id, true)
        client.withCredentials = true
        client.onload = this.step_func(function() {
            assert_equals(client.response, "NO_COOKIE", "second")

            /* Reads and deletes the cookie */
            client.open("GET", url + id, true)
            client.withCredentials = true
            client.onload = this.step_func(function() {
                assert_equals(client.response, "COOKIE", "third")
                this.done()
            })
            client.send(null)
        })
        client.send(null)
    })
    client.send(null)
}, "Don't obey Set-Cookie when withCredentials=false");

function test_response_header(allow) {
    var resp_test = async_test('Access-Control-Allow-Credentials: ' + allow + ' should be disallowed (async)')
    resp_test.step(function() {
        var client = new XMLHttpRequest()
        client.open('GET',
            CROSSDOMAIN + 'resources/cors-makeheader.py?credentials=' + allow,
            true)
        client.withCredentials = true;
        client.onload = resp_test.step_func(function() {
            assert_unreached("onload")
        })
        client.onerror = resp_test.step_func(function () {
            assert_equals(client.readyState, client.DONE, 'readyState')
            resp_test.done()
        })
        client.send()
    })
}

test_response_header('TRUE')
test_response_header('True')
test_response_header('"true"')
test_response_header("'true'");
test_response_header('false')
test_response_header('1')
test_response_header('0')
test_response_header(',true');
test_response_header('true,');
test_response_header('true%0B');
test_response_header('true%0C');

</script>
